Zabbix is a popular tool for monitoring servers, services and network
equipment. To monitor a host, Zabbix provides an agent that is installed on
that host and answers queries from the Zabbix server.

Based on the supplied documentation and some remarks on the internet, the
'security' of Zabbix agents seems to rely on an IP filter: the agent only
accepts connections whose source address is the configured server address.
However, the protocol used between the Zabbix server and the agents is
unencrypted and does not employ any additional authentication, so that source
address is the only thing the agent ever checks.

With a man-in-the-middle attack, pretending to be the Zabbix server, you would
be able to query every agent in the environment, and if remote commands are
enabled on those hosts you could run arbitrary commands on all of them. The
damage that could be done may be something you don't want to think about. Or
maybe you do. It is true that for such an attack to be possible, the attacker
needs access to a system on the same network (VLAN) as the server, so that the
server's address can be spoofed or its traffic intercepted (for example by ARP
spoofing). Nonetheless, it is just not secure: a source address is not a
credential.
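To make the point concrete, here is an added example (not code from the original post and not Zabbix's own code) that speaks the plaintext passive-agent protocol the way the server does, against a toy stand-in for zabbix_agentd. The header layout assumed is the classic one ("ZBXD", version byte 0x01, 8-byte little-endian payload length, then the payload). The toy agent is an assumption as well: it reproduces only the Server= source-address filter and the system.run[] item, nothing else of the real agent. The point it demonstrates is that the only gate between a connecting client and command execution is the peer address. (Zabbix 3.0 and later added TLS with PSK or certificate authentication for this channel; the post describes the earlier plaintext agent.)

```python
"""Plaintext Zabbix passive-agent protocol client plus a toy agent.
Added example, not from the original post or Zabbix. Assumed header:
b"ZBXD" + 0x01 + 8-byte little-endian length + payload."""
import socket
import struct
import subprocess
import threading

MAGIC = b"ZBXD\x01"          # protocol marker + version byte
HEADER_LEN = len(MAGIC) + 8  # marker + 8-byte little-endian length


def encode(payload: bytes) -> bytes:
    """Wrap an item key (request) or a value (reply) in the Zabbix header."""
    return MAGIC + struct.pack("<Q", len(payload)) + payload


def decode(data: bytes) -> bytes:
    """Validate the header and return the payload; ValueError if malformed."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        raise ValueError("not a Zabbix message")
    (length,) = struct.unpack("<Q", data[len(MAGIC):HEADER_LEN])
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated Zabbix message")
    return body


def recv_all(sock: socket.socket) -> bytes:
    """Read until the peer closes its side; each party sends one message."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def query_agent(host: str, port: int, key: str, timeout: float = 3.0) -> str:
    """What the server does for a passive check: connect, send the item key,
    read the value. No credential, no handshake, just a TCP source address."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(encode(key.encode()))
            s.shutdown(socket.SHUT_WR)
            data = recv_all(s)
        except OSError:  # agent dropped us: source address not in Server=
            data = b""
    if not data:
        raise ConnectionError("agent closed the connection without answering")
    return decode(data).decode()


class ToyAgent:
    """Assumed stand-in for zabbix_agentd on loopback. allowed_servers models
    the Server= directive, enable_remote_commands models EnableRemoteCommands=1."""

    def __init__(self, allowed_servers, enable_remote_commands=False):
        self.allowed = set(allowed_servers)
        self.remote = enable_remote_commands
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, (peer_ip, _) = self.sock.accept()
            with conn:
                # The entire access control: is the (spoofable) peer address
                # on the list? Anyone who can relay or spoof it is "the server".
                if peer_ip not in self.allowed:
                    continue
                try:
                    key = decode(recv_all(conn)).decode()
                except (ValueError, OSError):
                    continue
                conn.sendall(encode(self.handle(key).encode()))

    def handle(self, key: str) -> str:
        if key == "agent.ping":
            return "1"
        if key.startswith("system.run[") and key.endswith("]") and self.remote:
            cmd = key[len("system.run["):-1]
            # Remote commands over an unauthenticated channel: whoever reaches
            # the agent as "the server" runs commands as the agent user.
            return subprocess.run(cmd, shell=True, capture_output=True,
                                  text=True).stdout.strip()
        return "ZBX_NOTSUPPORTED"


def demo() -> dict:
    """Two agents: one trusting 127.0.0.1 (us) with remote commands on, and
    one whose Server= names 192.0.2.10, an address we are not."""
    trusting = ToyAgent({"127.0.0.1"}, enable_remote_commands=True)
    strict = ToyAgent({"192.0.2.10"})
    out = {
        "ping": query_agent("127.0.0.1", trusting.port, "agent.ping"),
        "run": query_agent("127.0.0.1", trusting.port, "system.run[echo owned]"),
    }
    try:
        query_agent("127.0.0.1", strict.port, "agent.ping")
        out["rejected"] = False
    except ConnectionError:
        out["rejected"] = True
    return out
```

Running `demo()` shows the two outcomes side by side: against the trusting agent, `agent.ping` returns `1` and `system.run[echo owned]` returns the command's output, while the strict agent simply drops the connection. On loopback the source address cannot be forged, so the strict case is what a remote attacker sees until they are positioned to present the server's address, at which point the agent cannot tell them apart from the server.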

Personally I don't think that Zabbix is suitable for high-security
environments, due to the lack of encryption of sensitive data and the weak
authentication mechanism.

Zabbix should employ at least SSL/TLS for encrypted transport and use a
password or shared secret for authentication. Even better would be client
certificates, as the system management tool Puppet uses for its agents.

[update]

Please note that Nagios agents also seem to work this way, but I have no
experience with Nagios so I can't say for sure.